On 25 August 2020, the CSSF published Circular 20/750 implementing the EBA Guidelines on ICT and security risk management in Luxembourg. These guidelines establish a consistent approach to the mitigation and management of these risks in all EU countries.
Are you ready for the Circular? Download our self-assessment to assess your preparedness and define a response plan.
Overview
The EBA Guidelines provide clarity on the management and mitigation of ICT and security risks, stating that:
- ICT risks must be part of financial institutions' general governance and risk management procedures, crisis management protocols, and business continuity planning. This reduces the likelihood of ICT failures and makes it easier for institutions to respond and recover when such failures do occur.
- Of particular importance are the ICT and security risk management framework and information security framework. These documents should be approved periodically at the highest level by the management body.
The guidelines consist of 97 requirements across the following areas:
- Governance and strategy
- ICT and security risk management framework
- Information security
- ICT operations management
- ICT project and change management
- Business continuity management
- Payment service user relationship management
Scope of application
The EBA guidelines apply to banks, investment firms, and payment and electronic money institutions, and all of these are in scope of Circular 20/750. In Luxembourg, the CSSF has extended the scope further to include both specialized and support PSFs.
Updates to existing circulars
Circular 12/552 has been updated to cross-reference the new guidelines, with significant changes to points 85 and 86 regarding the IT Officer and the Information Security Officer.
Circular CSSF 19/713 has been repealed: the guidelines implemented by Circular CSSF 20/750 supersede those on payment services that Circular CSSF 19/713 implemented.
Reporting obligations
Banks providing payment services are required to send the CSSF an up-to-date and exhaustive risk assessment on a yearly basis. This risk assessment should be signed by authorized management and submitted no later than 30 April.
Payment and electronic money institutions need to include the same exhaustive risk assessment in their management report on internal controls. A new section has been added for this purpose. Submission deadlines remain unchanged.